Accelerating Method of Snapshot Investigation for Rollback from Ransomware

1. A method for a host computer communicatively coupled to a storage system, the method comprising: executing, on the host computer, a storage plug-in configured to request the storage system to provide a list of snapshots generated from a volume mounted to the host computer; the host computer receiving, from the storage system, the list of snapshots accessible by the host computer in response to the request; for an issuance of a restore request of the volume to the storage plug-in from the host computer: a) disabling data caching in the host computer for the volume; b) purging cache data in the host computer; and c) after completion of the purging of the cache data in the host computer, requesting the storage system to mount a selected snapshot from the list of snapshots to the host computer, wherein the storage system swaps a snapshot of the volume to the selected snapshot.

2. The method of claim 1 , further comprising, for the issuance of the restore request of the volume to the storage plug-in from the host computer: determining whether the volume is infected by malware; for the determination indicative of the volume being infected by malware, updating a status of the volume as being infected by malware; for the determination indicative of the volume not being infected by malware, updating the status of the volume as being normal.

3. The method of claim 1 , further comprising associating each snapshot in the list of snapshots with a status based on a detection of malware for the each snapshot.

4. The method of claim 1 , further comprising, for the issuance of a restore request of the volume to the storage plug-in from the host computer: re-enabling the data caching in the host computer for the volume; determining whether the selected snapshot is infected by malware; for a determination that the selected snapshot is infected by malware: determining whether a previously selected snapshot is infected by malware; for the determination that the previously selected snapshot is infected by malware, selecting another snapshot from the list of snapshots that is earlier than the selected snapshot and re-iterating a) to c) with the another snapshot; and for the determination that the previously selected snapshot is not infected by malware, restoring the volume from the previously selected snapshot.

5. The method of claim 1 , further comprising, for the issuance of a restore request of the volume to the storage plug-in from the host computer: re-enabling the data caching in the host computer for the volume; determining whether the selected snapshot is infected by malware; for a determination that the selected snapshot is not infected by malware: determining whether a later snapshot from the list of snapshots is infected by malware; for the determination that the later snapshot is infected by malware, restoring the volume from the selected snapshot; and for the determination that the later snapshot is not infected by malware; selecting another snapshot from the list of snapshots that is later than the selected snapshot and re-iterating a) to c) with the another snapshot.

6. The method of claim 1 , further comprising selecting the selected snapshot through a user selection.

7. The method of claim 1 , further comprising instructing the storage system to select the selected snapshot.

8. A non-transitory computer readable medium, storing instructions for a host computer communicatively coupled to a storage system, the instructions comprising: executing, on the host computer, a storage plug-in configured to request the storage system to provide a list of snapshots generated from a volume mounted to the host computer; the host computer receiving, from the storage system, the list of snapshots accessible by the host computer in response to the request; for an issuance of a restore request of the volume to the storage plug-in from the host computer: a) disabling data caching in the host computer for the volume; b) purging cache data in the host computer; and c) after completion of the purging of the cache data in the host computer, requesting the storage system to mount a selected snapshot from the list of snapshots to the host computer, wherein the storage system swaps a snapshot of the volume to the selected snapshot.

9. The non-transitory computer readable medium of claim 8 , the instructions further comprising, for the issuance of the restore request of the volume to the storage plug-in from the host computer: determining whether the volume is infected by malware; for the determination indicative of the volume being infected by malware, updating a status of the volume as being infected by malware; for the determination indicative of the volume not being infected by malware, updating the status of the volume as being normal.

10. The non-transitory computer readable medium of claim 8 , the instructions further comprising associating each snapshot in the list of snapshots with a status based on a detection of malware for the each snapshot.

11. The non-transitory computer readable medium of claim 8 , the instructions further comprising, for the issuance of a restore request of the volume to the storage plug-in from the host computer: re-enabling the data caching in the host computer for the volume; determining whether the selected snapshot is infected by malware; for a determination that the selected snapshot is infected by malware: determining whether a previously selected snapshot is infected by malware; for the determination that the previously selected snapshot is infected by malware, selecting another snapshot from the list of snapshots that is earlier than the selected snapshot and re-iterating a) to c) with the another snapshot; and for the determination that the previously selected snapshot is not infected by malware, restoring the volume from the previously selected snapshot.

12. The non-transitory computer readable medium of claim 8 , the instructions further comprising, for the issuance of a restore request of the volume to the storage plug-in from the host computer: re-enabling the data caching in the host computer for the volume; determining whether the selected snapshot is infected by malware; for a determination that the selected snapshot is not infected by malware: determining whether a later snapshot from the list of snapshots is infected by malware; for the determination that the later snapshot is infected by malware, restoring the volume from the selected snapshot; and for the determination that the later snapshot is not infected by malware; selecting another snapshot from the list of snapshots that is later than the selected snapshot and re-iterating a) to c) with the another snapshot.

13. The non-transitory computer readable medium of claim 8 , the instructions further comprising selecting the selected snapshot through a user selection.

14. The non-transitory computer readable medium of claim 8 , the instructions further comprising instructing the storage system to select the selected snapshot.